Bugzilla – Bug 594362
VUL-0: CVE-2010-3110: kernel: multiple overflows in novfs; local root exploit
Last modified: 2018-07-03 20:30:07 UTC
The kernel part of novfs contains plenty of buffer overflows and integer wrap arounds. Sample testcase attached. The whole kernel code needs review.
Created attachment 352858 [details] proof of concept ...
Created attachment 353367 [details] Patch Not sure if this patch is enough. But I believe it is needed.
BTW, this patch was generated on 11.2 sources. There is not much difference between this part of the sources except a __DbgPrint and DbgPrint. Review of the patch will be helpful. Thanks.
I don't name any case in detail here, since overflows or wraparounds are basically in every one of the functions a user can trigger. So I try to explain the problem in general, underlined by examples from the code.

The problem is that the code in general trusts all the arguments it receives from userspace. The structs contain a lot of length arguments. The best would be to add a reasonable-size check after each copy_from_user(), e.g. uNumReplyFrags > 10000 || uNumReplyFrags <= 0 or so. Larger values would make no sense (depending on whether it's signed or not, so it could be negative). This applies to all num or len arguments in structs passed to the kernel. Then you are automatically safe from wraparounds in calculations like uNumReplyFrags*sizeof(struct nwc_frag) which is passed to kmalloc().

Also, there is a simple stack overflow in novfs_open_conn_by_addr(): cpylen = copy_from_user(addr, tranAddr.puAddress, tranAddr.uAddressLength); All copy operations like this must check whether the user-given len fields exceed the target buffer sizes! I attached a sample root exploit for 11.1. On 11.2 the -fstack-protector and array re-ordering of GCC just halts the machine, which is bad enough.

What also worries me is that users could trigger kmalloc()'s of arbitrary size and amounts, since there seems to be no connection limiting or whatever like the normal ulimits that kick in for sockets or the like. This is since the novfs code tracks all its handles by itself, which, even worse, are also trusted from user arguments. Maybe it would be good to have a kernel developer look at it, so he could give hints on how to handle it best.
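As an added illustration of the two checks asked for in the comment above (this is a user-space model written for this page, not code from the bug, the patches or novfs): the 32-bit count-times-sizeof wrap that a trusted uNumReplyFrags feeds into kmalloc(), the bounded and overflow-checked replacement, and a length-checked copy for the novfs_open_conn_by_addr() pattern. The struct layout, the bound NOVFS_MAX_FRAGS, the buffer size NOVFS_ADDR_BUFLEN and the sample input are assumptions; memcpy stands in for copy_from_user().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: the real novfs layout is not on the bug page, so this struct
 * is hypothetical. Fixed-width fields keep sizeof() at 8 bytes on every ABI. */
struct nwc_frag { uint32_t uLength; uint32_t uOffset; };

#define NOVFS_MAX_FRAGS   10000u  /* the "reasonable size" bound proposed in the comment */
#define NOVFS_ADDR_BUFLEN 64u     /* hypothetical size of the fixed on-stack address buffer */

/* The unchecked pattern: a user-supplied count multiplied in 32-bit arithmetic.
 * 0x20000001 * 8 wraps to 8, so the allocator hands back 8 bytes for a buffer
 * the driver then treats as holding 0x20000001 fragments. */
static uint32_t unchecked_alloc_size(uint32_t uNumReplyFrags)
{
	return uNumReplyFrags * (uint32_t)sizeof(struct nwc_frag);
}

/* Hardened: bound the count right after copy_from_user() and refuse any size
 * that cannot be represented, so a wrapped value never reaches the allocator. */
static bool checked_alloc_size(uint32_t uNumReplyFrags, size_t *out)
{
	if (uNumReplyFrags == 0 || uNumReplyFrags > NOVFS_MAX_FRAGS)
		return false;  /* larger values make no sense for a fragment count */
	if (uNumReplyFrags > SIZE_MAX / sizeof(struct nwc_frag))
		return false;  /* multiplication would wrap */
	*out = (size_t)uNumReplyFrags * sizeof(struct nwc_frag);
	return true;
}

/* Hardened copy for the novfs_open_conn_by_addr() case: the user-given
 * uAddressLength is compared against the destination size before copying. */
static bool copy_addr_checked(uint8_t dst[NOVFS_ADDR_BUFLEN],
			      const uint8_t *puAddress, uint32_t uAddressLength)
{
	if (uAddressLength > NOVFS_ADDR_BUFLEN)
		return false;  /* would overrun the stack buffer */
	memcpy(dst, puAddress, uAddressLength);
	return true;
}

int main(void)
{
	size_t sz = 0;
	uint8_t addr[NOVFS_ADDR_BUFLEN], user_addr[200] = { 0 };  /* constructed input */
	printf("unchecked: %u bytes; checked: %s\n", unchecked_alloc_size(0x20000001u),
	       checked_alloc_size(0x20000001u, &sz) ? "accepted" : "rejected");
	printf("copy 200 bytes into %u: %s\n", NOVFS_ADDR_BUFLEN,
	       copy_addr_checked(addr, user_addr, 200u) ? "accepted" : "rejected");
	return 0;
}
```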
Created attachment 353706 [details] PoC for stack overflow ...
jiri, jeff, just bringing this to your attention as branch owners. Not sure if action is required from you, I would let the NOVFS guys fix this ... but perhaps advice/help is required.
I am currently preparing patches which I will attach when finished.
Created attachment 356209 [details] novfs-fix-sizes.patch diffed tarball against 11.2 branch. I had to manually remove the meanwhile-applied patches, as it was done against GA state, I think.
Assigning the bug to the team id.
Folks, please give a status update. For other local root exploits our turnaround times are usually 1 week. Adjust prio and severity.
Sankar, Sebastian, please let me know when you have the final version of the fix so that I can commit it to our kernel tree. Also quickly looking at the patch: it is unwise to reindent unrelated code while fixing some issue. It makes reading the patch much harder...
I am currently checking out SLE 11 SP1 sources (to make the 11.2 patch applicable to that) and then will start a build with it. QA is already verifying the other security patch on novfsd. The main problem, imho, is different departments having different styles of security review. novfs sources went through a security review in Workgroup, but none of these were caught. novfs has been shipping in SLE as well since SLED 11, and none of these were caught earlier. The best move forward will be to have a dedicated person fixing novfs issues and making it upstream-quality compliant.
Kernel rpm with the patch for WGP QA are available at: http://w3.suse.de/~psankar/security/ (kernel rpm) and https://build.suse.de/project/show?project=home:psankar:branches:SUSE:SLE-11-SP1:GA Venkata (CCed) will be testing these rpms before I submit the patch to the kernel mailing list.
The testing has begun and Venkata is testing the rpms already.
After installing the kernel, keyboard and mouse stop working, just after the boot selection screen. (With the old kernel, everything was working fine.) I am looking into what I did wrong during the build. I just added my patch to patches.fixes, edited series.conf, did scripts/tar-up.sh, cd kernel-source, mbuild. I will update once I prepare another kernel rpm and test it on my machine before giving it to QA. I will update at the very earliest I can.
I did a rebuild today with the new git SLE11-SP1 branch (a few commits after my previous build). This build seems to work fine. So, I am handing over to the QA now.
Login is failing with the patch. I am debugging the issue to find out which code change is causing the problem.
I have identified some issues with our MAX error checks, related to the NULL byte that is added by novfsd (the user space daemon). I am in the process of fixing them by using different MAX macros. I will attach the patch once I complete my work.
Created attachment 373187 [details] updated patch
I am preparing the RPMs now which the QA will be testing and approving. After this, if there are no other issues (hopefully, as it tested fine on my machine), I will submit the patch to kernel@suse.de.
The testing is going on and there was a holiday in India yesterday. I have the patch ready and will do: git send-mail once the QA approves. Thanks.
The QA has found that with 64 bit machines, after the patch is applied, browsing NCP volumes via Nautilus leads to a machine hang. So, I am looking at debugging this issue now.
Created attachment 374262 [details] Latest version of the patch
The nautilus hang issue was observed in only one folder. This was not a regression because of the security fix, as it was observed with an unpatched kernel as well. So that hang need not block the security fix. I have just sent the security patch for review/commit to Jan Kara and kernel@suse.de. Thanks to Sebastian Krahmer and Marcus Meissner for the detailed security review.
I've committed the fix to SLE11-SP1 branch.
Marking the bug as RESOLVED FIXED as the patch is in our version control system. Thanks to everyone involved.
reopen and reassign to us for tracking. (cves etc.)
The SWAMPID for this issue is 34625. This issue was rated as critical. Please submit fixed packages as soon as possible. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
A kernel update for SUSE Linux Enterprise 11 SP1 was just released that mentions/fixes this bug. The released version is 2.6.32.13-0.5.1.
Update released for: kernel-default-extra Products: SLE-SERVER 11-EXTRA (ia64)
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra Products: SLE-DEBUGINFO 11-SP1 (ia64) SLE-HAE 11-SP1 (ia64) SLE-SERVER 11-SP1 (ia64)
Update released for: kernel-default-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (x86_64)
Update released for: kernel-default-extra, kernel-ppc64-extra Products: SLE-SERVER 11-EXTRA (ppc64)
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (i386)
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-extra Products: SLE-DEBUGINFO 11-SP1 (i386) SLE-DESKTOP 11-SP1 (i386) SLE-HAE 11-SP1 (i386) SLE-SERVER 11-SP1 (i386)
Update released for: kernel-default-extra Products: SLE-SERVER 11-EXTRA (s390x)
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man Products: SLE-DEBUGINFO 11-SP1 (s390x) SLE-HAE 11-SP1 (s390x) SLE-SERVER 11-SP1 (s390x)
Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra Products: SLE-DEBUGINFO 11-SP1 (ppc64) SLE-HAE 11-SP1 (ppc64) SLE-SERVER 11-SP1 (ppc64)
Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra Products: SLE-DEBUGINFO 11-SP1 (x86_64) SLE-DESKTOP 11-SP1 (x86_64) SLE-HAE 11-SP1 (x86_64) SLE-SERVER 11-SP1 (x86_64)
The SWAMPID for this issue is 35398. This issue was rated as moderate. Please submit fixed packages by 2010-09-07. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
CVE-2010-3110
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-ec2-devel, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi-devel, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop Products: openSUSE 11.3 (debug, i586, x86_64)
All currently interesting done, I think.
*** Bug 644888 has been marked as a duplicate of this bug. ***